Steve Tuecke, The University of Chicago
Globus Auth
Enabling an extensible, integrated ecosystem of services and applications for the research and education community.
Cloud has transformed how platforms and software are delivered
• Infrastructure as a service: IaaS
• Platform as a service: PaaS
• Software as a service: SaaS
PaaS enables more rapid, cheap, and scalable delivery of powerful apps, as SaaS (web & mobile apps)
Globus and XSEDE
• XSEDE adopted Globus SaaS early
– Much usage of Transfer and Sharing
Globus SaaS: Research data lifecycle
(Diagram: Instrument, Compute Facility, Publication Repository, Personal Computer; phases Transfer, Share, Publish, Discover)
1. Researcher initiates transfer request; or requested automatically by script, science gateway
2. Globus transfers files reliably, securely
3. Researcher selects files to share, selects user or group, and sets access permissions
4. Globus controls access to shared files on existing storage; no need to move files to cloud storage!
5. Collaborator logs in to Globus and accesses shared files; no local account required; download via Globus
6. Researcher assembles data set; describes it using metadata (Dublin core and domain-specific)
7. Curator reviews and approves; data set published on campus or other system
8. Peers, collaborators search and discover datasets; transfer and share using Globus
• Only a Web browser required
• Use storage system of your choice
• Access using your campus credentials
Globus by the numbers
• 4 major services
• 13 national labs use Globus
• 135 PB transferred
• 10,000 active endpoints
• 20 billion files processed
• ~400 active daily users
• 31,000 registered users
• 99.9% uptime
• 35+ institutional subscribers
• 1 PB largest single transfer to date
• 3 months longest continuously managed transfer
• 130 federated campus identities
No Globus usernames required! (coming tomorrow)
• Globus users no longer require a Globus username & password
– Old Globus usernames moved to separate, optional “Globus ID” identity provider
• Any identity recognized by Globus is now sufficient to access Globus
• Globus Account is a primary identity plus a set of linked identities
– Verified email address can be a linked identity
Demo
• Using Globus with any identity
• Sharing with any identity
Globus and XSEDE
• XSEDE adopted Globus SaaS early
– Much usage of Transfer and Sharing
• XSEDE now adopting Globus PaaS as the XSEDE platform
→ Any science gateway can now integrate trivially with XSEDE services, including Globus transfer
A science CI platform can spur creation of a science CI ecosystem
• Infrastructure as a service: IaaS
• Platform as a service: PaaS
• Software as a service: SaaS (web and mobile apps)
In so doing, we can slash costs, improve quality, and accelerate discovery across the sciences
Globus PaaS: Ecosystem enabler
(Diagram of the Globus PaaS stack)
• Globus Toolkit
• Globus Connect
• Globus APIs
• Auth & Groups…
• File Transfer & Replication
• File Sharing
• Data Publication & Discovery
Globus PaaS at NCAR
• Research Data Archive at NCAR
• Integrate Globus for data downloads
• Shared endpoint with subfolder per request
• Single sign on via streamlined account provisioning
Globus Auth
• Foundational identity and access management (IAM) platform service
• Brokers authentication and authorization interactions between:
– end-users
– identity providers: XSEDE, InCommon, web apps
– resource servers: services with REST APIs
– clients: web, mobile, desktop, command line apps
– resource servers acting as clients to other resource servers
Based on widely used web standards
• OAuth 2.0 Authorization Framework
– aka OAuth2
• OpenID Connect Core 1.0
– aka OIDC
• Allows use of standard OAuth2 and OIDC libraries
– E.g., Google OAuth Client Libraries (Java, Python, etc.), Apache mod_auth_openidc
Globus Auth is “authorization server”
(Diagram: Resource Owner, Client, Authorization Server (Globus Auth), Identity Providers, Resource Server, Dependent Resource Servers; the Client makes an HTTPS/REST call to the Resource Server carrying Authorization: Bearer <access_token>)
(1) Authenticates a resource owner
• Using existing identities: XSEDE, University (via InCommon), Google, web app, etc.
• User can link multiple identities into a single Globus Account
• No Globus username & password (Globus ID) required
• Globus Auth handles naming details (e.g., ePPN vs ePTID)
(2) Obtains authorization (consent) for a client to access a resource
• Resource is provided by a resource server
• Limited by a scope
(3) Issues OAuth2 access_token to client
• Access token is opaque to client
• May include a refresh token, for offline access
(4) May issue OIDC id_token to client with resource owner identity
• JWT id_token claims:
– sub: Globus Auth identity id
– iss: https://auth.globus.org
– name: full name
– preferred_username: e.g., [email protected]
– email: email contact
– other standard OIDC claims
(5) HTTPS/REST call with access_token
• Authorization: Bearer <access_token>
(6) Validates access_token for resource server, and gets additional information
• RFC 7662: OAuth 2.0 Token Introspection response:
– active: true or false
– client_id
– scope
– sub: Globus Auth identity id
– username: [email protected]
– identity_set: linked identities
– email
– name
– other standard claims
(7) Issues dependent access tokens to resource server
• Allows resource server to act as client to other resource servers
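As an added example (not Globus code and not from this deck), the resource-server side of steps (5) and (6) in Python: it pulls the token out of the Authorization: Bearer header, introspects it, and grants or denies based on the RFC 7662 fields listed above (active, scope, sub, username, identity_set, plus the optional exp). The introspection endpoint URL, the sample responses and the identity values are constructed assumptions, and the HTTPS call is injected as a function so the code runs offline.

```python
"""Resource-server side of steps (5) and (6): accept 'Authorization: Bearer
<access_token>', validate it through RFC 7662 token introspection, and decide.
Added example, not Globus project code. INTROSPECT_URL and the sample
responses are constructed assumptions; the HTTPS call is injected so this runs offline."""
import base64
import time
from typing import Callable, Optional

INTROSPECT_URL = "https://auth.globus.org/v2/oauth2/token/introspect"  # assumed
# Scope this hypothetical resource server protects (the deck's example service scope).
REQUIRED_SCOPE = "urn:globus:auth:scope:api.example.com:all"


def bearer_token_from_header(authorization: Optional[str]) -> Optional[str]:
    """Extract the token from an RFC 6750 'Bearer <token>' header; None if malformed."""
    if not authorization:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    token = token.strip()
    return token if scheme.lower() == "bearer" and token else None


def introspection_request(token: str, rs_client_id: str, rs_client_secret: str) -> dict:
    """RFC 7662 request: form body with the token; the resource server authenticates via HTTP Basic."""
    basic = base64.b64encode(f"{rs_client_id}:{rs_client_secret}".encode()).decode()
    return {"url": INTROSPECT_URL, "headers": {"Authorization": "Basic " + basic},
            "body": {"token": token}}


def authorize(info: dict, required_scope: str, now: float,
              allowed_idp_domain: Optional[str] = None) -> tuple:
    """Decide from the introspection response. Checks: active, not expired (exp is an
    optional RFC 7662 field), required scope granted, and an optional policy that the
    identity come from a particular provider (here: the domain of the username claim)."""
    if not info.get("active"):
        return False, "token inactive or unknown"
    exp = info.get("exp")
    if exp is not None and now >= exp:
        return False, "token expired"
    if required_scope not in info.get("scope", "").split():
        return False, f"missing scope {required_scope}"
    if allowed_idp_domain and not info.get("username", "").endswith("@" + allowed_idp_domain):
        return False, f"identity must come from {allowed_idp_domain}"
    return True, info["sub"]


def handle_request(headers: dict, introspect: Callable[[str], dict],
                   required_scope: str = REQUIRED_SCOPE, now: Optional[float] = None,
                   allowed_idp_domain: Optional[str] = None) -> tuple:
    """Resource-server entry point: (status, detail). 401 = no usable token, 403 = denied."""
    token = bearer_token_from_header(headers.get("Authorization"))
    if token is None:
        return 401, "missing or malformed Bearer token"
    ok, detail = authorize(introspect(token), required_scope, now or time.time(), allowed_idp_domain)
    return (200, detail) if ok else (403, detail)


# Constructed introspection responses, shaped like the claims listed in the deck.
SAMPLE_RESPONSES = {
    "tok-good": {
        "active": True, "client_id": "portal-client", "sub": "3e5ab4e2-demo-identity",
        "scope": "openid email profile urn:globus:auth:scope:api.example.com:all",
        "username": "researcher@example.edu", "email": "researcher@example.edu",
        "name": "Demo Researcher",
        "identity_set": ["3e5ab4e2-demo-identity", "9b1f0c77-demo-linked"],
        "exp": 4102444800,  # year 2100, constructed
    },
    # Valid token, but consented only for the OIDC scopes, not for this service
    "tok-other-service": {"active": True, "client_id": "portal-client", "sub": "3e5ab4e2-demo-identity",
                          "scope": "openid email profile", "username": "researcher@example.edu"},
    "tok-revoked": {"active": False},
}


def fake_introspect(token: str) -> dict:
    """Stand-in for the HTTPS POST to Globus Auth; unknown tokens come back inactive."""
    return SAMPLE_RESPONSES.get(token, {"active": False})


if __name__ == "__main__":
    for tok in ("tok-good", "tok-other-service", "tok-revoked", "garbage"):
        print(tok, handle_request({"Authorization": f"Bearer {tok}"}, fake_introspect))
```

Two points the checks encode: a token that is active for some other service but lacks this server's own scope is refused just like a revoked one, and an identity-provider policy is applied to the introspected username, never to anything the client sent alongside the token.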
Simple web app server login
• OAuth2 Authorization Code Grant with Globus Auth
– With OIDC scopes: openid email profile
• User logs into Globus account using their favorite identity provider
• Globus Auth returns OIDC id_token to the web server
– With identity sub (unique id), name, preferred_username, email
• Client policy can require identity from a particular identity provider
(Diagram: Browser, Web App Server (Client), Globus Auth, Identity Providers; Globus Auth returns the id_token to the Web App Server)
Login + Globus Auth REST API
• OAuth2 Authorization Code Grant with Globus Auth
– With OIDC scopes: openid email profile
– And scope: urn:globus:auth:scope:auth.globus.org:view_identities
• Globus Auth returns OAuth2 access token to Web App Server (OAuth2 client) for use with Globus Auth REST API
• Web App Server calls Globus Auth REST API with access token
– Authorization: Bearer <access_token>
– Get identity information, including full set of linked identities
(Diagram: (1) Globus Auth returns id_token and access token to the Web App Server (Client); (2) Web App Server makes REST calls to Globus Auth with the access_token)
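The login sequence above, carried through in Python as an added example that is not part of this deck or of Globus's own code: the Web App Server builds the authorization request with state and nonce, checks state on the callback, exchanges the code, validates the id_token claims (iss, aud, exp, nonce), and keeps the access token for its Globus Auth REST API calls. AUTHORIZE_URL and TOKEN_URL are assumptions (only the iss value https://auth.globus.org comes from the deck); the token endpoint is a constructed stand-in injected as a function so the flow runs offline, and it returns an id_token with a placeholder signature, so signature verification (done against the provider's published keys with a JWT library in practice) is outside what the block shows.

```python
"""Web App Server (confidential OAuth2 client) login with Globus Auth using the
Authorization Code Grant. Added example, not Globus project code.
Assumed (hypothetical for this example): AUTHORIZE_URL, TOKEN_URL, and the
constructed token endpoint used so the flow runs offline."""
import base64
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://auth.globus.org/v2/oauth2/authorize"  # assumed
TOKEN_URL = "https://auth.globus.org/v2/oauth2/token"          # assumed
ISSUER = "https://auth.globus.org"                              # iss claim named in the deck
SCOPES = "openid email profile urn:globus:auth:scope:auth.globus.org:view_identities"


def start_login(client_id, redirect_uri, session):
    """Build the authorization request. state ties the callback to this browser
    session (CSRF defence); nonce ties the id_token to this login attempt."""
    session["state"] = secrets.token_urlsafe(32)
    session["nonce"] = secrets.token_urlsafe(32)
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": SCOPES, "state": session["state"], "nonce": session["nonce"]}
    return AUTHORIZE_URL + "?" + urlencode(params)


def decode_jwt_claims(id_token):
    """Decode the JWT payload; signature verification (JWKS) is done separately."""
    payload = id_token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def validate_id_token_claims(claims, client_id, nonce, now):
    """Claim checks OIDC Core requires of the relying party: iss, aud, exp, nonce."""
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("id_token not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("id_token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


def finish_login(callback_url, session, client_id, client_secret, redirect_uri, post, now=None):
    """Handle the redirect back: check state, exchange code for tokens, validate id_token."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != session.pop("state", None):
        raise ValueError("state mismatch: callback not started from this session")
    if "error" in qs:
        raise ValueError("authorization failed: " + qs["error"][0])
    body = {"grant_type": "authorization_code", "code": qs["code"][0], "redirect_uri": redirect_uri}
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    resp = post(TOKEN_URL, body, {"Authorization": "Basic " + basic})
    claims = validate_id_token_claims(decode_jwt_claims(resp["id_token"]), client_id,
                                      session.pop("nonce", None), now or time.time())
    session["user"] = {k: claims.get(k) for k in ("sub", "name", "preferred_username", "email")}
    session["access_token"] = resp["access_token"]  # for the Globus Auth REST API
    return session["user"]


def rest_headers(session):
    """Header the Web App Server sends on Globus Auth REST API calls."""
    return {"Authorization": f"Bearer {session['access_token']}"}


# ---- constructed stand-in for the Globus Auth token endpoint (offline demo) ----
def unsigned_jwt(claims):
    """Constructed id_token with a placeholder signature; real ones are signed."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.signature-placeholder"


def fake_token_endpoint(nonce):
    def post(url, body, headers):
        assert url == TOKEN_URL and body["grant_type"] == "authorization_code"
        claims = {"iss": ISSUER, "aud": "demo-client", "sub": "3e5ab4e2-demo-identity",
                  "name": "Demo Researcher", "preferred_username": "researcher@example.edu",
                  "email": "researcher@example.edu", "nonce": nonce, "exp": int(time.time()) + 300}
        return {"access_token": "at-constructed", "id_token": unsigned_jwt(claims)}
    return post


def demo():
    session, cb = {}, "https://portal.example.edu/callback"
    start_login("demo-client", cb, session)
    callback = cb + "?" + urlencode({"code": "code-constructed", "state": session["state"]})
    user = finish_login(callback, session, "demo-client", "secret-placeholder", cb,
                        fake_token_endpoint(session["nonce"]))
    return user, rest_headers(session)


if __name__ == "__main__":
    print(demo())
```

The state and nonce are popped from the session as they are consumed, so a replayed callback or a second id_token cannot be matched against a value that has already been used.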
Browser-based web app login
• OAuth2 Implicit Grant
– With OIDC scopes: openid email profile
• Globus Auth returns OIDC id_token to the browser-based Javascript client
– With identity sub (unique id), name, preferred_username, email
– Client policy can require identity from a particular identity provider
(Diagram: Browser JS Web App (Client), Web App Server, Globus Auth, Identity Providers; the id_token goes to the browser client)
Globus transfer integration
• OAuth2 Authorization Code Grant with Globus Auth
– Scopes: openid email profile urn:globus:auth:scope:transfer.api.globus.org:all
• Globus Auth returns OAuth2 access token to Web App Server (OAuth2 client) for use with Globus Transfer REST API
• Web App Server (OAuth2 client) calls Globus Transfer REST API
– Authorization: Bearer <access_token>
(Diagram: (1) Globus Auth returns id_token and access token to the Web App Server (Client); (2) Web App Server calls Globus Transfer with the access_token; (3) Globus Transfer verifies the access token with Globus Auth)
Using existing web app identities
• Web App Server does OAuth2 Authorization Code Grant with Globus Auth
– Scopes: openid email profile urn:globus:auth:scope:transfer.api.globus.org:all
• Globus Auth does OIDC login with Web App Identity Provider
• Results in Web App Server having:
– User login information from own Web App Id Provider
– Access token(s) that it can use with REST APIs for Globus Transfer, XSEDE, etc.
• SSO to your web app and Globus using only your web app identities!
(Diagram: Browser, Web App Server (Client), Globus Auth, Globus Transfer, Identity Providers including the Web App Id Provider (OpenID Connect); Globus Auth returns id_token and access token to the Web App Server)
Research data portal
• Move portal storage into Science DMZ, with Globus endpoint
– High performance, managed storage
• Leave Portal Web server behind firewall
• Globus handles the data heavy lifting
(Diagram: Browser, Portal Web Server (Client), Globus Auth, Globus Transfer; User’s Endpoint, Portal Endpoint in the Science DMZ, XSEDE Endpoint)
HTTPS to endpoints (coming soon)
• Globus Connect Server will soon allow HTTPS access to endpoint storage
• Your web application can directly link to files on the Portal Endpoint
• Globus Auth and Transfer mediated security
– Restrict HTTPS access to files by particular users and groups
(Diagram: Browser, Portal Web Server (Client), Globus Auth, Globus Transfer, Portal Endpoint; the browser fetches files over HTTPS directly from the Globus endpoint)
Globus Web App integration
• OAuth2 Authorization Code Grant with Globus Auth
– Scopes: openid email profile urn:globus:auth:scope:transfer.api.globus.org:all
– Globus Auth returns OIDC id_token & OAuth2 access token to client
• Web App Server can redirect browser to Globus Web App pages
– Globus Web App can be skinned to look like Web App Server
– Globus Web App provides special pages for selecting files and selecting a group
• Globus Auth provides single sign-on across multiple apps
(Diagram: (1) Globus Auth returns id_token and access_token1 to the Web App Server (Client); (2) Web App Server calls Globus Transfer with access_token1; (3) Web App Server redirects the browser to the Globus Web App; (4) Globus Auth returns id_token and access_token2 to the Globus Web App; (5) Globus Web App calls Globus Transfer with access_token2)
Other resource servers
XSEDE services integration
• OAuth2 Authorization Code Grant with Globus Auth
– Scopes: openid email profile urn:globus:auth:scope:transfer.api.globus.org:all urn:globus:auth:scope:api.xsede.org:all
– Globus Auth returns OIDC id_token & OAuth2 access tokens to client
• Globus Auth returns different access tokens for different resource servers
• Web App Server calls each resource server with appropriate access token
(Diagram: (1) Globus Auth returns id_token and access tokens to the Web App Server (Client); (2) Web App Server calls Globus Transfer with access_token1; (3) Web App Server calls XSEDE services with access_token2)
Add your own resource servers
• OAuth2 Authorization Code Grant with Globus Auth
– Scopes: openid email profile urn:globus:auth:scope:transfer.api.globus.org:all urn:globus:auth:scope:api.xsede.org:all urn:globus:auth:scope:api.example.com:all
– Globus Auth returns OIDC id_token & OAuth2 access tokens to client
• Resource Server must register with Globus Auth
– Resource server policy can require identity from a particular identity provider
(Diagram: (1) Globus Auth returns id_token and access tokens to the Web App Server (Client); (2) Web App Server calls Your service with access_token3; (3) Your service verifies access_token3 with Globus Auth; Globus Transfer, Globus Web App and XSEDE services are each called with their own token)
Both client and resource server
• Web App Server can be both a client and a resource server
• Another Client can use any OAuth2 grant with Globus Auth to get access_token for your Web App Server
– Scope: urn:globus:auth:scope:api.example.com:all
(Diagram: (1) Another Client gets an access_token from Globus Auth; (2) Another Client makes REST calls to the Web App Server (Client & Resource Server) with the access_token; (3) Web App Server verifies the access_token with Globus Auth)
Dependent resource servers
• OAuth2 Dependent Token Grant with Globus Auth
– Scopes: openid email profile urn:globus:auth:scope:api.example.com:all
• Resource Server registers its Globus Transfer dependency with Globus Auth
• Resource Server uses request access token to get dependent access tokens
• Resource Server uses dependent access token to call Globus Transfer
(Diagram: (1) Globus Auth returns id_token and access tokens to the Web App Server (Client); (2) Web App Server calls the Resource Server with access_token3; (3) Resource Server asks Globus Auth for dependent access tokens for access_token3; (4) Resource Server calls Globus Transfer with dependent access_token4)
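An added Python example (not Globus project code) of the resource-server side of the dependent token flow just described: the resource server exchanges the access_token3 it received for dependent tokens, picks the one minted for Globus Transfer, and calls Transfer with it rather than forwarding the caller's token. TOKEN_URL, the grant_type URN and the per-resource-server response shape are assumptions modelled on the deck's description; Globus Auth and Globus Transfer are replaced by constructed stand-ins so the code runs offline.

```python
"""Dependent Token Grant, resource-server side (steps (2) to (4) in the diagram).
Added example, not Globus project code. TOKEN_URL, the grant_type URN and the
response shape (one token per downstream resource server) are assumptions modelled
on the deck's description; Globus Auth and Globus Transfer are constructed stand-ins
so the code runs offline."""
import base64

TOKEN_URL = "https://auth.globus.org/v2/oauth2/token"            # assumed
DEPENDENT_GRANT = "urn:globus:auth:grant_type:dependent_token"   # assumed
TRANSFER_RS = "transfer.api.globus.org"
TRANSFER_SCOPE = "urn:globus:auth:scope:transfer.api.globus.org:all"


def dependent_token_request(incoming_access_token, rs_client_id, rs_client_secret):
    """Exchange the access_token a client presented to *this* resource server for tokens
    this server may use downstream. It authenticates as itself, not as the caller."""
    basic = base64.b64encode(f"{rs_client_id}:{rs_client_secret}".encode()).decode()
    return {"url": TOKEN_URL, "headers": {"Authorization": "Basic " + basic},
            "body": {"grant_type": DEPENDENT_GRANT, "token": incoming_access_token}}


def pick_token(dependent_tokens, resource_server, required_scope):
    """Select the token minted for one downstream server; a token for another
    resource server is never reused, and a token lacking the scope is refused."""
    for t in dependent_tokens:
        if t.get("resource_server") != resource_server:
            continue
        if required_scope not in t.get("scope", "").split():
            raise PermissionError(f"dependent token for {resource_server} lacks {required_scope}")
        return t["access_token"]
    raise PermissionError(f"no dependent token for {resource_server}: dependency not registered "
                          "or not consented to")


def call_transfer(incoming_access_token, rs_client_id, rs_client_secret, post, transfer_get):
    """Steps (3) and (4): get dependent tokens, then call Globus Transfer with the right one."""
    req = dependent_token_request(incoming_access_token, rs_client_id, rs_client_secret)
    tokens = post(req["url"], req["body"], req["headers"])
    transfer_token = pick_token(tokens, TRANSFER_RS, TRANSFER_SCOPE)
    return transfer_get({"Authorization": f"Bearer {transfer_token}"})


# ---- constructed stand-ins for Globus Auth and Globus Transfer (offline demo) ----
DEPENDENT_TOKENS_FOR = {
    "access_token3": [
        {"resource_server": TRANSFER_RS, "access_token": "access_token4",
         "scope": TRANSFER_SCOPE, "token_type": "Bearer", "expires_in": 172800},
        {"resource_server": "api.xsede.org", "access_token": "access_token5",
         "scope": "urn:globus:auth:scope:api.xsede.org:all", "token_type": "Bearer", "expires_in": 172800},
    ],
    # A token whose consent did not include the Transfer dependency
    "token-no-transfer": [
        {"resource_server": "api.xsede.org", "access_token": "access_token6",
         "scope": "urn:globus:auth:scope:api.xsede.org:all"}],
}


def fake_post(url, body, headers):
    """Globus Auth stand-in: requires the resource server's own credentials and the grant."""
    if url != TOKEN_URL or body.get("grant_type") != DEPENDENT_GRANT \
            or not headers.get("Authorization", "").startswith("Basic "):
        raise ValueError("invalid_request")
    return DEPENDENT_TOKENS_FOR.get(body["token"], [])


def fake_transfer_get(headers):
    """Transfer stand-in: accepts only its own dependent token, never access_token3."""
    if headers.get("Authorization") == "Bearer access_token4":
        return {"status": 200, "endpoints": ["portal-endpoint"]}  # constructed payload
    return {"status": 401, "error": "AuthenticationFailed"}


if __name__ == "__main__":
    print(call_transfer("access_token3", "rs-client-id", "rs-secret-placeholder", fake_post, fake_transfer_get))
```

The separation is the point of the grant: access_token3 is scoped to api.example.com and would be rejected by Transfer, while access_token4 is scoped to Transfer alone and never reaches the XSEDE service, so a compromise of either downstream token does not widen into the other.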
Mobile applications
• Globus Auth will be adding support for mobile apps
– “Log in with Globus” in mobile apps
o RFC 7636: Extension to OAuth2 to allow OAuth2 Authorization Code Grant to work from mobile apps
– Mobile apps can call any resource server REST APIs that use Globus Auth
– iOS and Android
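RFC 7636 (PKCE) in Python, as an added example that is not from the deck or from Globus's mobile support: a mobile app is a public client with no client_secret, so it derives a code_verifier and its S256 code_challenge, sends the challenge with the authorize request and the verifier with the token request, and the authorization server accepts the code only if the two match. AUTHORIZE_URL is an assumption; the derivation follows the RFC's section 4 exactly.

```python
"""RFC 7636 (PKCE) for a public client such as a mobile app. Added example, not
Globus project code; AUTHORIZE_URL is assumed. The verifier/challenge derivation
is as the RFC specifies; the parameter sets show what the app adds to the
authorize and token requests, and server_verifies is the token-endpoint check."""
import base64
import hashlib
import secrets
from urllib.parse import urlencode

AUTHORIZE_URL = "https://auth.globus.org/v2/oauth2/authorize"  # assumed


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 section 4 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """High-entropy verifier: 32 random bytes -> 43 unreserved characters (RFC minimum 43)."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorize_params(client_id, redirect_uri, scope, state, verifier):
    """Authorize request: the challenge goes out, the verifier stays on the device."""
    return {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
            "scope": scope, "state": state,
            "code_challenge": code_challenge_s256(verifier), "code_challenge_method": "S256"}


def authorize_url(client_id, redirect_uri, scope, state, verifier):
    return AUTHORIZE_URL + "?" + urlencode(authorize_params(client_id, redirect_uri, scope, state, verifier))


def token_params(client_id, redirect_uri, code, verifier):
    """Token request from a public client: no client_secret; the verifier proves
    that whoever redeems the code is the app that started the flow."""
    return {"grant_type": "authorization_code", "client_id": client_id,
            "redirect_uri": redirect_uri, "code": code, "code_verifier": verifier}


def server_verifies(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    """The authorization server's check at the token endpoint (RFC 7636 section 4.6),
    using a constant-time comparison."""
    if method == "S256":
        return secrets.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)
    if method == "plain":
        return secrets.compare_digest(presented_verifier, stored_challenge)
    return False


if __name__ == "__main__":
    v = new_code_verifier()
    p = authorize_params("mobile-app-client", "myapp://callback", "openid email profile", "state-1", v)
    print(authorize_url("mobile-app-client", "myapp://callback", "openid email profile", "state-1", v))
    print("server accepts verifier:", server_verifies(p["code_challenge"], "S256", v))
```

An intercepted authorization code is useless to anyone who does not also hold the verifier, which never leaves the device; that is what lets the Authorization Code Grant work without a client secret.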
An extensible platform for CI
• Globus provides foundation and other services
• Community can extend to meet domain-specific and domain-independent needs
(Diagram of layers: Foundation services: Globus Auth, Groups, etc.; AWS, Google, Azure services; Domain-independent and domain-specific services; Apps)
Come to Chicago in April to learn more!
Summary
• Globus no longer requires a Globus username and password
• Globus Auth makes it easy to:
– add user login to your web app
– integrate with Globus, XSEDE, and other services
– add OAuth2 support to your service’s REST API
– create services to leverage other services
Together we can create an integrated ecosystem of services and applications for the research and education community
Thank you to our sponsors! U.S. Department of Energy